In the field of cloud computing, the subject of data sovereignty has evolved from merely a concept in the beginning to become a convincing sales argument... and indeed a crucial differentiating factor in how cloud service providers market themselves.
This rise to prominence speaks clearly of evolving customer expectations and industry standards for data protection.
Cloud sovereignty: a marketing argument that responds to an actual need
First of all, we need to define what a “sovereign cloud” is. It is a cloud model in which services and infrastructures are managed and controlled by national or regional entities who share the same requirements for standards and security and the same rules as the authorities and public authorities of the national territory in question with regard to data confidentiality, autonomy and independence. The counter-example in this area, for those of us in Europe, concerns American players subject to the “Cloud Act”. The law, passed by the U.S. Congress in 2018, allows U.S. authorities to access data stored by U.S. cloud service providers, even in cases where that data is located outside the United States. This automatically made the announcement of the AWS European Sovereign Cloud obsolete, despite a well-intentioned messaging campaign to the contrary. Companies are therefore – quite rightly – drawn to a sovereign cloud infrastructure for hosting and data processing, for several key factors.
Firstly, such a choice ensures direct control over their sensitive data and protection of their strategic information in line with their own security policies. It also guarantees increased security by reducing the risks associated with unauthorized access from elsewhere in the world. And it also offers the promise of better performance from lower latency, owing to the physical proximity of the data. Ultimately, cloud sovereignty strengthens user confidence; this has, for example, been seen with 3DS Outscale, Cloud Temple, OVHcloud and Scaleway in France, and T-Systems in Germany.
But behind this concept lies a complex debate that raises fundamental questions about the balance between sovereignty, product and service quality, and the associated costs.
It is difficult to effectively defend sovereignty in an environment in which financing, competition and regulation rules vary from country to country. For example, the United States uses government procurement as funding for cybersecurity companies, greatly accelerating their growth and adoption rates. This is not necessarily the case in Europe, where US-based solutions are often even preferred, thus creating competitive imbalances and inequalities. For this reason, a corporate agreement to segment its IT infrastructure with specialists, rather than making use of a global player, despite the potential additional cost, can be seen as a legitimate option for ensuring sovereignty. From a state perspective, this raises the question of introducing taxes on foreign goods or services to compensate for regulatory disparities and ensure fair competition – an approach already taken by a number of governments and institutions.
But realistically, sovereign cloud operators also face limits in their quest for total autonomy, including reliance on hardware and software such as VMware, Veeam, and Kubernetes solutions developed by foreign companies such as Google.
Rethinking the cloud strategy
Although the BtoC cloud battle already seems lost, there is still much to play for in the battle of the BtoB cloud. Sovereign solutions offer a means of compensating for this ubiquity of foreign players, who are mainly US-based (41% of the French cloud is operated by 5 American players, according to an IDC study). But cloud sovereignty is just one element of a global data management and IT security strategy that needs to be flexible if it is to adapt to future changes and new strategic directions.
The right compromise lies in diversifying cloud solutions, avoiding “putting all your eggs in the same basket” and considering reversibility; a hybrid model which combines the sovereign cloud, the standard cloud and on-premise solutions. Companies such as Netflix, which have successfully adopted a multi-cloud approach that simultaneously uses the services of providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform, demonstrate the benefits of a multi-cloud strategy in terms of resilience, flexibility, and reduced risk from the failure of a single provider.
In addition, the security of data hosted on these clouds can be enhanced via data encryption technologies with external encryption keys managed by a sovereign player, with the result that sensitive data in storage or in transit can only be read by the sender or recipient.
And lastly, it is vitally important to make data management and exploitation transparent, encouraging companies to provide detailed information on how their own data and that of their customers is managed in the cloud: Operators, national geographic area, managed services, etc. Shared responsibility between cloud service providers and business customers offers a guarantee that data is used in a responsible and secure way.
Many developments are on their way in the cloud space, with the emergence of new technologies such as post-quantum encryption, edge computing, artificial intelligence and blockchain. There is therefore a strong expectation that French and European providers of hosting solutions will be able to offer cutting-edge solutions while remaining flexible and open to innovation. By doing so, they can now position their cloud strategies to take full advantage of future advances and ensure their long-term success, while ensuring our economic sovereignty.